2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
15 #include <vnet/ip/ip.h>
16 #include <vnet/ip/ip_source_and_port_range_check.h>
17 #include <vnet/dpo/load_balance.h>
18 #include <vnet/fib/fib_table.h>
19 #include <vnet/fib/ip4_fib.h>
22 * @brief The pool of range chack DPOs
24 static protocol_port_range_dpo_t *ppr_dpo_pool;
27 * @brief Dynamically registered DPO type
29 static dpo_type_t ppr_dpo_type;
31 vlib_node_registration_t ip4_source_port_and_range_check_rx;
32 vlib_node_registration_t ip4_source_port_and_range_check_tx;
34 #define foreach_ip4_source_and_port_range_check_error \
35 _(CHECK_FAIL, "ip4 source and port range check bad packets") \
36 _(CHECK_OK, "ip4 source and port range check good packets")
40 #define _(sym,str) IP4_SOURCE_AND_PORT_RANGE_CHECK_ERROR_##sym,
41 foreach_ip4_source_and_port_range_check_error
43 IP4_SOURCE_AND_PORT_RANGE_CHECK_N_ERROR,
44 } ip4_source_and_port_range_check_error_t;
46 static char *ip4_source_and_port_range_check_error_strings[] = {
47 #define _(sym,string) string,
48 foreach_ip4_source_and_port_range_check_error
57 ip4_address_t src_addr;
60 } ip4_source_and_port_range_check_trace_t;
63 format_ip4_source_and_port_range_check_trace (u8 * s, va_list * va)
65 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*va, vlib_main_t *);
66 CLIB_UNUSED (vlib_node_t * node) = va_arg (*va, vlib_node_t *);
67 ip4_source_and_port_range_check_trace_t *t =
68 va_arg (*va, ip4_source_and_port_range_check_trace_t *);
71 s = format (s, "PASS (bypass case)");
73 s = format (s, "fib %d src ip %U %s dst port %d: %s",
74 t->fib_index, format_ip4_address, &t->src_addr,
75 t->is_tcp ? "TCP" : "UDP", (u32) t->port,
76 (t->pass == 1) ? "PASS" : "FAIL");
82 IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP,
83 IP4_SOURCE_AND_PORT_RANGE_CHECK_N_NEXT,
84 } ip4_source_and_port_range_check_next_t;
88 check_adj_port_range_x1 (const protocol_port_range_dpo_t * ppr_dpo,
89 u16 dst_port, u32 next)
91 const protocol_port_range_t *range;
95 u16x8vec_t sum, sum_equal_diff2;
96 u16 sum_nonzero, sum_equal, winner_mask;
99 if (NULL == ppr_dpo || dst_port == 0)
100 return IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP;
102 /* Make the obvious screw-case work. A variant also works w/ no MMX */
103 if (PREDICT_FALSE (dst_port == 65535))
108 i < VLIB_BUFFER_PRE_DATA_SIZE / sizeof (protocol_port_range_t);
111 for (j = 0; j < 8; j++)
112 if (ppr_dpo->blocks[i].low.as_u16[j] == 65535)
115 return IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP;
118 key.as_u16x8 = u16x8_splat (dst_port);
120 for (i = 0; i < ppr_dpo->n_used_blocks; i++)
123 u16x8_sub_saturate (ppr_dpo->blocks[i].low.as_u16x8, key.as_u16x8);
125 u16x8_sub_saturate (ppr_dpo->blocks[i].hi.as_u16x8, key.as_u16x8);
126 sum.as_u16x8 = u16x8_add (diff1.as_u16x8, diff2.as_u16x8);
127 sum_equal_diff2.as_u16x8 =
128 u16x8_is_equal (sum.as_u16x8, diff2.as_u16x8);
129 sum_nonzero = ~u16x8_zero_byte_mask (sum.as_u16x8);
130 sum_equal = ~u16x8_zero_byte_mask (sum_equal_diff2.as_u16x8);
131 winner_mask = sum_nonzero & sum_equal;
136 return IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP;
139 always_inline protocol_port_range_dpo_t *
140 protocol_port_range_dpo_get (index_t index)
142 return (pool_elt_at_index (ppr_dpo_pool, index));
146 ip4_source_and_port_range_check_inline (vlib_main_t * vm,
147 vlib_node_runtime_t * node,
148 vlib_frame_t * frame, int is_tx)
150 ip4_main_t *im = &ip4_main;
151 ip_lookup_main_t *lm = &im->lookup_main;
152 ip_config_main_t *rx_cm =
153 &lm->feature_config_mains[VNET_IP_RX_UNICAST_FEAT];
154 ip_config_main_t *tx_cm = &lm->feature_config_mains[VNET_IP_TX_FEAT];
155 u32 n_left_from, *from, *to_next;
157 vlib_node_runtime_t *error_node = node;
158 u32 good_packets = 0;
161 from = vlib_frame_vector_args (frame);
162 n_left_from = frame->n_vectors;
163 next_index = node->cached_next_index;
165 while (n_left_from > 0)
169 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
172 /* while (n_left_from >= 4 && n_left_to_next >= 2) */
174 /* vlib_buffer_t *b0, *b1; */
175 /* ip4_header_t *ip0, *ip1; */
176 /* ip4_fib_mtrie_t *mtrie0, *mtrie1; */
177 /* ip4_fib_mtrie_leaf_t leaf0, leaf1; */
178 /* ip_source_and_port_range_check_config_t *c0, *c1; */
179 /* ip_adjacency_t *adj0 = 0, *adj1 = 0; */
180 /* u32 bi0, next0, adj_index0, pass0, save_next0, fib_index0; */
181 /* u32 bi1, next1, adj_index1, pass1, save_next1, fib_index1; */
182 /* udp_header_t *udp0, *udp1; */
184 /* /\* Prefetch next iteration. *\/ */
186 /* vlib_buffer_t *p2, *p3; */
188 /* p2 = vlib_get_buffer (vm, from[2]); */
189 /* p3 = vlib_get_buffer (vm, from[3]); */
191 /* vlib_prefetch_buffer_header (p2, LOAD); */
192 /* vlib_prefetch_buffer_header (p3, LOAD); */
194 /* CLIB_PREFETCH (p2->data, sizeof (ip0[0]), LOAD); */
195 /* CLIB_PREFETCH (p3->data, sizeof (ip1[0]), LOAD); */
198 /* bi0 = to_next[0] = from[0]; */
199 /* bi1 = to_next[1] = from[1]; */
202 /* n_left_from -= 2; */
203 /* n_left_to_next -= 2; */
205 /* b0 = vlib_get_buffer (vm, bi0); */
206 /* b1 = vlib_get_buffer (vm, bi1); */
209 /* vec_elt (im->fib_index_by_sw_if_index, */
210 /* vnet_buffer (b0)->sw_if_index[VLIB_RX]); */
212 /* vec_elt (im->fib_index_by_sw_if_index, */
213 /* vnet_buffer (b1)->sw_if_index[VLIB_RX]); */
215 /* ip0 = vlib_buffer_get_current (b0); */
216 /* ip1 = vlib_buffer_get_current (b1); */
220 /* c0 = vnet_get_config_data (&tx_cm->config_main, */
221 /* &b0->current_config_index, */
222 /* &next0, sizeof (c0[0])); */
223 /* c1 = vnet_get_config_data (&tx_cm->config_main, */
224 /* &b1->current_config_index, */
225 /* &next1, sizeof (c1[0])); */
229 /* c0 = vnet_get_config_data (&rx_cm->config_main, */
230 /* &b0->current_config_index, */
231 /* &next0, sizeof (c0[0])); */
232 /* c1 = vnet_get_config_data (&rx_cm->config_main, */
233 /* &b1->current_config_index, */
234 /* &next1, sizeof (c1[0])); */
237 /* /\* we can't use the default VRF here... *\/ */
238 /* for (i = 0; i < IP_SOURCE_AND_PORT_RANGE_CHECK_N_PROTOCOLS; i++) */
240 /* ASSERT (c0->fib_index[i] && c1->fib_index[i]); */
246 /* if (ip0->protocol == IP_PROTOCOL_UDP) */
249 /* [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_IN]; */
250 /* if (ip0->protocol == IP_PROTOCOL_TCP) */
253 /* [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_IN]; */
257 /* if (ip0->protocol == IP_PROTOCOL_UDP) */
260 /* [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_OUT]; */
261 /* if (ip0->protocol == IP_PROTOCOL_TCP) */
264 /* [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_OUT]; */
267 /* if (PREDICT_TRUE (fib_index0 != ~0)) */
270 /* mtrie0 = &vec_elt_at_index (im->fibs, fib_index0)->mtrie; */
272 /* leaf0 = IP4_FIB_MTRIE_LEAF_ROOT; */
274 /* leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0, */
275 /* &ip0->src_address, 0); */
277 /* leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0, */
278 /* &ip0->src_address, 1); */
280 /* leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0, */
281 /* &ip0->src_address, 2); */
283 /* leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0, */
284 /* &ip0->src_address, 3); */
286 /* adj_index0 = ip4_fib_mtrie_leaf_get_adj_index (leaf0); */
288 /* ASSERT (adj_index0 == ip4_fib_lookup_with_table (im, fib_index0, */
289 /* &ip0->src_address, */
291 /* /\* use dflt rt *\/ */
293 /* adj0 = ip_get_adjacency (lm, adj_index0); */
298 /* if (ip1->protocol == IP_PROTOCOL_UDP) */
301 /* [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_IN]; */
302 /* if (ip1->protocol == IP_PROTOCOL_TCP) */
305 /* [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_IN]; */
309 /* if (ip1->protocol == IP_PROTOCOL_UDP) */
312 /* [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_OUT]; */
313 /* if (ip1->protocol == IP_PROTOCOL_TCP) */
316 /* [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_OUT]; */
319 /* if (PREDICT_TRUE (fib_index1 != ~0)) */
322 /* mtrie1 = &vec_elt_at_index (im->fibs, fib_index1)->mtrie; */
324 /* leaf1 = IP4_FIB_MTRIE_LEAF_ROOT; */
326 /* leaf1 = ip4_fib_mtrie_lookup_step (mtrie1, leaf1, */
327 /* &ip1->src_address, 0); */
329 /* leaf1 = ip4_fib_mtrie_lookup_step (mtrie1, leaf1, */
330 /* &ip1->src_address, 1); */
332 /* leaf1 = ip4_fib_mtrie_lookup_step (mtrie1, leaf1, */
333 /* &ip1->src_address, 2); */
335 /* leaf1 = ip4_fib_mtrie_lookup_step (mtrie1, leaf1, */
336 /* &ip1->src_address, 3); */
338 /* adj_index1 = ip4_fib_mtrie_leaf_get_adj_index (leaf1); */
340 /* ASSERT (adj_index1 == ip4_fib_lookup_with_table (im, fib_index1, */
341 /* &ip1->src_address, */
343 /* adj1 = ip_get_adjacency (lm, adj_index1); */
347 /* pass0 |= adj0 == 0; */
348 /* pass0 |= ip4_address_is_multicast (&ip0->src_address); */
350 /* ip0->src_address.as_u32 == clib_host_to_net_u32 (0xFFFFFFFF); */
351 /* pass0 |= (ip0->protocol != IP_PROTOCOL_UDP) */
352 /* && (ip0->protocol != IP_PROTOCOL_TCP); */
355 /* pass1 |= adj1 == 0; */
356 /* pass1 |= ip4_address_is_multicast (&ip1->src_address); */
358 /* ip1->src_address.as_u32 == clib_host_to_net_u32 (0xFFFFFFFF); */
359 /* pass1 |= (ip1->protocol != IP_PROTOCOL_UDP) */
360 /* && (ip1->protocol != IP_PROTOCOL_TCP); */
362 /* save_next0 = next0; */
363 /* udp0 = ip4_next_header (ip0); */
364 /* save_next1 = next1; */
365 /* udp1 = ip4_next_header (ip1); */
367 /* if (PREDICT_TRUE (pass0 == 0)) */
369 /* good_packets++; */
370 /* next0 = check_adj_port_range_x1 */
371 /* (adj0, clib_net_to_host_u16 (udp0->dst_port), next0); */
372 /* good_packets -= (save_next0 != next0); */
373 /* b0->error = error_node->errors */
374 /* [IP4_SOURCE_AND_PORT_RANGE_CHECK_ERROR_CHECK_FAIL]; */
377 /* if (PREDICT_TRUE (pass1 == 0)) */
379 /* good_packets++; */
380 /* next1 = check_adj_port_range_x1 */
381 /* (adj1, clib_net_to_host_u16 (udp1->dst_port), next1); */
382 /* good_packets -= (save_next1 != next1); */
383 /* b1->error = error_node->errors */
384 /* [IP4_SOURCE_AND_PORT_RANGE_CHECK_ERROR_CHECK_FAIL]; */
387 /* if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) */
388 /* && (b0->flags & VLIB_BUFFER_IS_TRACED))) */
390 /* ip4_source_and_port_range_check_trace_t *t = */
391 /* vlib_add_trace (vm, node, b0, sizeof (*t)); */
392 /* t->pass = next0 == save_next0; */
393 /* t->bypass = pass0; */
394 /* t->fib_index = fib_index0; */
395 /* t->src_addr.as_u32 = ip0->src_address.as_u32; */
396 /* t->port = (pass0 == 0) ? */
397 /* clib_net_to_host_u16 (udp0->dst_port) : 0; */
398 /* t->is_tcp = ip0->protocol == IP_PROTOCOL_TCP; */
401 /* if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) */
402 /* && (b1->flags & VLIB_BUFFER_IS_TRACED))) */
404 /* ip4_source_and_port_range_check_trace_t *t = */
405 /* vlib_add_trace (vm, node, b1, sizeof (*t)); */
406 /* t->pass = next1 == save_next1; */
407 /* t->bypass = pass1; */
408 /* t->fib_index = fib_index1; */
409 /* t->src_addr.as_u32 = ip1->src_address.as_u32; */
410 /* t->port = (pass1 == 0) ? */
411 /* clib_net_to_host_u16 (udp1->dst_port) : 0; */
412 /* t->is_tcp = ip1->protocol == IP_PROTOCOL_TCP; */
415 /* vlib_validate_buffer_enqueue_x2 (vm, node, next_index, */
416 /* to_next, n_left_to_next, */
417 /* bi0, bi1, next0, next1); */
420 while (n_left_from > 0 && n_left_to_next > 0)
424 ip_source_and_port_range_check_config_t *c0;
425 u32 bi0, next0, lb_index0, pass0, save_next0, fib_index0;
427 const protocol_port_range_dpo_t *ppr_dpo0 = NULL;
437 b0 = vlib_get_buffer (vm, bi0);
440 vec_elt (im->fib_index_by_sw_if_index,
441 vnet_buffer (b0)->sw_if_index[VLIB_RX]);
444 vlib_buffer_advance (b0, sizeof (ethernet_header_t));
446 ip0 = vlib_buffer_get_current (b0);
450 c0 = vnet_get_config_data
451 (&tx_cm->config_main, &b0->current_config_index,
452 &next0, sizeof (c0[0]));
456 c0 = vnet_get_config_data
457 (&rx_cm->config_main, &b0->current_config_index,
458 &next0, sizeof (c0[0]));
461 /* we can't use the default VRF here... */
462 for (i = 0; i < IP_SOURCE_AND_PORT_RANGE_CHECK_N_PROTOCOLS; i++)
464 ASSERT (c0->fib_index[i]);
470 if (ip0->protocol == IP_PROTOCOL_UDP)
473 [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_IN];
474 if (ip0->protocol == IP_PROTOCOL_TCP)
477 [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_IN];
481 if (ip0->protocol == IP_PROTOCOL_UDP)
484 [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_OUT];
485 if (ip0->protocol == IP_PROTOCOL_TCP)
488 [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_OUT];
491 if (fib_index0 != ~0)
493 lb_index0 = ip4_fib_forwarding_lookup (fib_index0,
497 load_balance_get_bucket_i (load_balance_get (lb_index0), 0);
499 if (ppr_dpo_type == dpo->dpoi_type)
501 ppr_dpo0 = protocol_port_range_dpo_get (dpo->dpoi_index);
504 * else the lookup hit an enty that was no inserted
505 * by this range checker, which is the default route
509 * $$$ which (src,dst) categories should we always pass?
512 pass0 |= ip4_address_is_multicast (&ip0->src_address);
514 ip0->src_address.as_u32 == clib_host_to_net_u32 (0xFFFFFFFF);
515 pass0 |= (ip0->protocol != IP_PROTOCOL_UDP)
516 && (ip0->protocol != IP_PROTOCOL_TCP);
519 udp0 = ip4_next_header (ip0);
521 if (PREDICT_TRUE (pass0 == 0))
524 next0 = check_adj_port_range_x1
525 (ppr_dpo0, clib_net_to_host_u16 (udp0->dst_port), next0);
526 good_packets -= (save_next0 != next0);
527 b0->error = error_node->errors
528 [IP4_SOURCE_AND_PORT_RANGE_CHECK_ERROR_CHECK_FAIL];
531 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
532 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
534 ip4_source_and_port_range_check_trace_t *t =
535 vlib_add_trace (vm, node, b0, sizeof (*t));
536 t->pass = next0 == save_next0;
538 t->fib_index = fib_index0;
539 t->src_addr.as_u32 = ip0->src_address.as_u32;
540 t->port = (pass0 == 0) ?
541 clib_net_to_host_u16 (udp0->dst_port) : 0;
542 t->is_tcp = ip0->protocol == IP_PROTOCOL_TCP;
546 vlib_buffer_advance (b0, -sizeof (ethernet_header_t));
548 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
549 to_next, n_left_to_next,
553 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
557 vlib_node_increment_counter (vm, ip4_source_port_and_range_check_tx.index,
558 IP4_SOURCE_AND_PORT_RANGE_CHECK_ERROR_CHECK_OK,
561 vlib_node_increment_counter (vm, ip4_source_port_and_range_check_rx.index,
562 IP4_SOURCE_AND_PORT_RANGE_CHECK_ERROR_CHECK_OK,
564 return frame->n_vectors;
569 ip4_source_and_port_range_check_rx (vlib_main_t * vm,
570 vlib_node_runtime_t * node,
571 vlib_frame_t * frame)
573 return ip4_source_and_port_range_check_inline (vm, node, frame,
578 ip4_source_and_port_range_check_tx (vlib_main_t * vm,
579 vlib_node_runtime_t * node,
580 vlib_frame_t * frame)
582 return ip4_source_and_port_range_check_inline (vm, node, frame,
586 /* Note: Calling same function for both RX and TX nodes
587 as always checking dst_port, although
588 if this changes can easily make new function
592 VLIB_REGISTER_NODE (ip4_source_port_and_range_check_rx) = {
593 .function = ip4_source_and_port_range_check_rx,
594 .name = "ip4-source-and-port-range-check-rx",
595 .vector_size = sizeof (u32),
597 .n_errors = ARRAY_LEN(ip4_source_and_port_range_check_error_strings),
598 .error_strings = ip4_source_and_port_range_check_error_strings,
600 .n_next_nodes = IP4_SOURCE_AND_PORT_RANGE_CHECK_N_NEXT,
602 [IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP] = "error-drop",
605 .format_buffer = format_ip4_header,
606 .format_trace = format_ip4_source_and_port_range_check_trace,
611 VLIB_REGISTER_NODE (ip4_source_port_and_range_check_tx) = {
612 .function = ip4_source_and_port_range_check_tx,
613 .name = "ip4-source-and-port-range-check-tx",
614 .vector_size = sizeof (u32),
616 .n_errors = ARRAY_LEN(ip4_source_and_port_range_check_error_strings),
617 .error_strings = ip4_source_and_port_range_check_error_strings,
619 .n_next_nodes = IP4_SOURCE_AND_PORT_RANGE_CHECK_N_NEXT,
621 [IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP] = "error-drop",
624 .format_buffer = format_ip4_header,
625 .format_trace = format_ip4_source_and_port_range_check_trace,
630 set_ip_source_and_port_range_check (vlib_main_t * vm,
632 u32 sw_if_index, u32 is_add)
634 ip4_main_t *im = &ip4_main;
635 ip_lookup_main_t *lm = &im->lookup_main;
636 ip_config_main_t *rx_cm =
637 &lm->feature_config_mains[VNET_IP_RX_UNICAST_FEAT];
638 ip_config_main_t *tx_cm = &lm->feature_config_mains[VNET_IP_TX_FEAT];
640 ip_source_and_port_range_check_config_t config;
645 for (i = 0; i < IP_SOURCE_AND_PORT_RANGE_CHECK_N_PROTOCOLS; i++)
647 config.fib_index[i] = fib_index[i];
650 /* For OUT we are in the RX path */
651 if ((fib_index[IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_OUT] != ~0) ||
652 (fib_index[IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_OUT] != ~0))
654 feature_index = im->ip4_unicast_rx_feature_source_and_port_range_check;
656 vec_validate (rx_cm->config_index_by_sw_if_index, sw_if_index);
658 ci = rx_cm->config_index_by_sw_if_index[sw_if_index];
660 ? vnet_config_add_feature
661 : vnet_config_del_feature)
662 (vm, &rx_cm->config_main, ci, feature_index, &config,
664 rx_cm->config_index_by_sw_if_index[sw_if_index] = ci;
667 /* For IN we are in the TX path */
668 if ((fib_index[IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_IN] != ~0) ||
669 (fib_index[IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_IN] != ~0))
671 feature_index = im->ip4_unicast_tx_feature_source_and_port_range_check;
673 vec_validate (tx_cm->config_index_by_sw_if_index, sw_if_index);
675 ci = tx_cm->config_index_by_sw_if_index[sw_if_index];
677 ? vnet_config_add_feature
678 : vnet_config_del_feature)
679 (vm, &tx_cm->config_main, ci, feature_index, &config,
681 tx_cm->config_index_by_sw_if_index[sw_if_index] = ci;
683 vnet_config_update_tx_feature_count (lm, tx_cm, sw_if_index, is_add);
688 static clib_error_t *
689 set_ip_source_and_port_range_check_fn (vlib_main_t * vm,
690 unformat_input_t * input,
691 vlib_cli_command_t * cmd)
693 vnet_main_t *vnm = vnet_get_main ();
694 ip4_main_t *im = &ip4_main;
695 clib_error_t *error = 0;
697 u32 sw_if_index = ~0;
698 u32 vrf_id[IP_SOURCE_AND_PORT_RANGE_CHECK_N_PROTOCOLS];
699 u32 fib_index[IP_SOURCE_AND_PORT_RANGE_CHECK_N_PROTOCOLS];
706 for (i = 0; i < IP_SOURCE_AND_PORT_RANGE_CHECK_N_PROTOCOLS; i++)
712 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
714 if (unformat (input, "%U", unformat_vnet_sw_interface, vnm,
719 (input, "tcp-out-vrf %d",
720 &vrf_id[IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_OUT]))
724 (input, "udp-out-vrf %d",
725 &vrf_id[IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_OUT]))
729 (input, "tcp-in-vrf %d",
730 &vrf_id[IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_IN]))
734 (input, "udp-in-vrf %d",
735 &vrf_id[IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_IN]))
737 else if (unformat (input, "del"))
743 if (sw_if_index == ~0)
744 return clib_error_return (0, "Interface required but not specified");
747 return clib_error_return (0,
748 "TCP or UDP VRF ID required but not specified");
750 for (i = 0; i < IP_SOURCE_AND_PORT_RANGE_CHECK_N_PROTOCOLS; i++)
754 return clib_error_return (0,
755 "TCP, UDP VRF ID should not be 0 (default). Should be distinct VRF for this purpose. ");
759 p = hash_get (im->fib_index_by_table_id, vrf_id[i]);
762 return clib_error_return (0, "Invalid VRF ID %d", vrf_id[i]);
768 set_ip_source_and_port_range_check (vm, fib_index, sw_if_index, is_add);
776 return clib_error_return
778 "set source and port-range on interface returned an unexpected value: %d",
785 VLIB_CLI_COMMAND (set_interface_ip_source_and_port_range_check_command,
787 .path = "set interface ip source-and-port-range-check",
788 .function = set_ip_source_and_port_range_check_fn,
789 .short_help = "set int ip source-and-port-range-check <intfc> [tcp-out-vrf <n>] [udp-out-vrf <n>] [tcp-in-vrf <n>] [udp-in-vrf <n>] [del]",
794 format_ppr_dpo (u8 * s, va_list * args)
796 index_t index = va_arg (args, index_t);
797 CLIB_UNUSED (u32 indent) = va_arg (args, u32);
799 protocol_port_range_dpo_t *ppr_dpo;
803 ppr_dpo = protocol_port_range_dpo_get (index);
805 s = format (s, "allow ");
807 for (i = 0; i < ppr_dpo->n_used_blocks; i++)
809 for (j = 0; j < 8; j++)
811 if (ppr_dpo->blocks[i].low.as_u16[j])
814 s = format (s, ", ");
815 if (ppr_dpo->blocks[i].hi.as_u16[j] >
816 (ppr_dpo->blocks[i].low.as_u16[j] + 1))
818 format (s, "%d-%d", (u32) ppr_dpo->blocks[i].low.as_u16[j],
819 (u32) ppr_dpo->blocks[i].hi.as_u16[j] - 1);
821 s = format (s, "%d", ppr_dpo->blocks[i].low.as_u16[j]);
830 ppr_dpo_lock (dpo_id_t * dpo)
835 ppr_dpo_unlock (dpo_id_t * dpo)
839 const static dpo_vft_t ppr_vft = {
840 .dv_lock = ppr_dpo_lock,
841 .dv_unlock = ppr_dpo_unlock,
842 .dv_format = format_ppr_dpo,
845 const static char *const ppr_ip4_nodes[] = {
846 "ip4-source-and-port-range-check-rx",
850 const static char *const *const ppr_nodes[DPO_PROTO_NUM] = {
851 [DPO_PROTO_IP4] = ppr_ip4_nodes,
855 ip4_source_and_port_range_check_init (vlib_main_t * vm)
857 source_range_check_main_t *srm = &source_range_check_main;
860 srm->vnet_main = vnet_get_main ();
862 ppr_dpo_type = dpo_register_new_type (&ppr_vft, ppr_nodes);
867 VLIB_INIT_FUNCTION (ip4_source_and_port_range_check_init);
869 protocol_port_range_dpo_t *
870 protocol_port_range_dpo_alloc (void)
872 protocol_port_range_dpo_t *ppr_dpo;
874 pool_get_aligned (ppr_dpo_pool, ppr_dpo, CLIB_CACHE_LINE_BYTES);
875 memset (ppr_dpo, 0, sizeof (*ppr_dpo));
877 ppr_dpo->n_free_ranges = N_PORT_RANGES_PER_DPO;
884 add_port_range_adjacency (u32 fib_index,
885 ip4_address_t * address,
886 u32 length, u16 * low_ports, u16 * high_ports)
888 protocol_port_range_dpo_t *ppr_dpo;
889 dpo_id_t dpop = DPO_NULL;
892 fib_node_index_t fei;
894 .fp_proto = FIB_PROTOCOL_IP4,
902 * check to see if we have already sourced this prefix
904 fei = fib_table_lookup_exact_match (fib_index, &pfx);
906 if (FIB_NODE_INDEX_INVALID == fei)
909 * this is a first time add for this prefix.
911 ppr_dpo = protocol_port_range_dpo_alloc ();
916 * the prefix is already there.
917 * check it was sourced by us, and if so get the ragne DPO from it.
919 dpo_id_t dpo = DPO_NULL;
920 const dpo_id_t *bucket;
922 if (fib_entry_get_dpo_for_source (fei, FIB_SOURCE_SPECIAL, &dpo))
925 * there is existing state. we'll want to add the new ranges to it
928 load_balance_get_bucket_i (load_balance_get (dpo.dpoi_index), 0);
929 ppr_dpo = protocol_port_range_dpo_get (bucket->dpoi_index);
935 * there is no PPR state associated with this prefix,
936 * so we'll need a new DPO
938 ppr_dpo = protocol_port_range_dpo_alloc ();
942 if (vec_len (low_ports) > ppr_dpo->n_free_ranges)
943 return VNET_API_ERROR_EXCEEDED_NUMBER_OF_RANGES_CAPACITY;
947 for (i = 0; i < vec_len (low_ports); i++)
949 for (; j < N_BLOCKS_PER_DPO; j++)
953 if (ppr_dpo->blocks[j].low.as_u16[k] == 0)
955 ppr_dpo->blocks[j].low.as_u16[k] = low_ports[i];
956 ppr_dpo->blocks[j].hi.as_u16[k] = high_ports[i];
963 ppr_dpo->n_used_blocks = j + 1;
966 * add or update the entry in the FIB
968 dpo_set (&dpop, ppr_dpo_type, DPO_PROTO_IP4, (ppr_dpo - ppr_dpo_pool));
970 if (FIB_NODE_INDEX_INVALID == fei)
972 fib_table_entry_special_dpo_add (fib_index,
975 FIB_ENTRY_FLAG_NONE, &dpop);
979 fib_table_entry_special_dpo_update (fei,
981 FIB_ENTRY_FLAG_NONE, &dpop);
988 remove_port_range_adjacency (u32 fib_index,
989 ip4_address_t * address,
990 u32 length, u16 * low_ports, u16 * high_ports)
992 protocol_port_range_dpo_t *ppr_dpo;
993 fib_node_index_t fei;
997 .fp_proto = FIB_PROTOCOL_IP4,
1005 * check to see if we have sourced this prefix
1007 fei = fib_table_lookup_exact_match (fib_index, &pfx);
1009 if (FIB_NODE_INDEX_INVALID == fei)
1014 return VNET_API_ERROR_INCORRECT_ADJACENCY_TYPE;
1019 * the prefix is already there.
1020 * check it was sourced by us
1022 dpo_id_t dpo = DPO_NULL;
1023 const dpo_id_t *bucket;
1025 if (fib_entry_get_dpo_for_source (fei, FIB_SOURCE_SPECIAL, &dpo))
1028 * there is existing state. we'll want to add the new ranges to it
1031 load_balance_get_bucket_i (load_balance_get (dpo.dpoi_index), 0);
1032 ppr_dpo = protocol_port_range_dpo_get (bucket->dpoi_index);
1040 return VNET_API_ERROR_INCORRECT_ADJACENCY_TYPE;
1044 for (i = 0; i < vec_len (low_ports); i++)
1046 for (j = 0; j < N_BLOCKS_PER_DPO; j++)
1048 for (k = 0; k < 8; k++)
1050 if (low_ports[i] == ppr_dpo->blocks[j].low.as_u16[k] &&
1051 high_ports[i] == ppr_dpo->blocks[j].hi.as_u16[k])
1053 ppr_dpo->blocks[j].low.as_u16[k] =
1054 ppr_dpo->blocks[j].hi.as_u16[k] = 0;
1062 ppr_dpo->n_free_ranges = 0;
1064 /* Have we deleted all ranges yet? */
1065 for (i = 0; i < N_BLOCKS_PER_DPO; i++)
1067 for (j = 0; j < 8; j++)
1069 if (ppr_dpo->blocks[j].low.as_u16[i] == 0)
1070 ppr_dpo->n_free_ranges++;
1074 if (N_PORT_RANGES_PER_DPO == ppr_dpo->n_free_ranges)
1076 /* Yes, lose the adjacency... */
1077 fib_table_entry_special_remove (fib_index, &pfx, FIB_SOURCE_SPECIAL);
1082 * compact the ranges down to a contiguous block
1090 // This will be moved to another file and implemented post API freeze.
1092 ip6_source_and_port_range_check_add_del (ip6_address_t * address,
1096 u16 * high_ports, int is_add)
1102 ip4_source_and_port_range_check_add_del (ip4_address_t * address,
1106 u16 * high_ports, int is_add)
1110 fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id);
1114 remove_port_range_adjacency (fib_index, address, length,
1115 low_ports, high_ports);
1119 add_port_range_adjacency (fib_index, address, length,
1120 low_ports, high_ports);
1126 static clib_error_t *
1127 ip_source_and_port_range_check_command_fn (vlib_main_t * vm,
1128 unformat_input_t * input,
1129 vlib_cli_command_t * cmd)
1132 u16 *high_ports = 0;
1135 ip4_address_t ip4_addr;
1136 ip6_address_t ip6_addr; //This function will be moved to generic impl when v6 done.
1140 int is_add = 1, ip_ver = ~0;
1144 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
1146 if (unformat (input, "%U/%d", unformat_ip4_address, &ip4_addr, &length))
1150 (input, "%U/%d", unformat_ip6_address, &ip6_addr, &length))
1152 else if (unformat (input, "vrf %d", &vrf_id))
1154 else if (unformat (input, "del"))
1156 else if (unformat (input, "port %d", &tmp))
1158 if (tmp == 0 || tmp > 65535)
1159 return clib_error_return (0, "port %d out of range", tmp);
1161 this_hi = this_low + 1;
1162 vec_add1 (low_ports, this_low);
1163 vec_add1 (high_ports, this_hi);
1165 else if (unformat (input, "range %d - %d", &tmp, &tmp2))
1168 return clib_error_return (0, "ports %d and %d out of order",
1170 if (tmp == 0 || tmp > 65535)
1171 return clib_error_return (0, "low port %d out of range", tmp);
1172 if (tmp2 == 0 || tmp2 > 65535)
1173 return clib_error_return (0, "high port %d out of range", tmp2);
1176 vec_add1 (low_ports, this_low);
1177 vec_add1 (high_ports, this_hi);
1184 return clib_error_return (0, " <address>/<mask> not specified");
1187 return clib_error_return (0, " VRF ID required, not specified");
1189 if (vec_len (low_ports) == 0)
1190 return clib_error_return (0,
1191 " Both VRF ID and range/port must be set for a protocol.");
1194 return clib_error_return (0, " VRF ID can not be 0 (default).");
1198 rv = ip4_source_and_port_range_check_add_del
1199 (&ip4_addr, length, vrf_id, low_ports, high_ports, is_add);
1201 return clib_error_return (0, " IPv6 in subsequent patch");
1208 case VNET_API_ERROR_INCORRECT_ADJACENCY_TYPE:
1209 return clib_error_return
1210 (0, " Incorrect adjacency for add/del operation");
1212 case VNET_API_ERROR_EXCEEDED_NUMBER_OF_PORTS_CAPACITY:
1213 return clib_error_return (0, " Too many ports in add/del operation");
1215 case VNET_API_ERROR_EXCEEDED_NUMBER_OF_RANGES_CAPACITY:
1216 return clib_error_return
1217 (0, " Too many ranges requested for add operation");
1220 return clib_error_return (0, " returned an unexpected value: %d", rv);
1227 VLIB_CLI_COMMAND (ip_source_and_port_range_check_command, static) = {
1228 .path = "set ip source-and-port-range-check",
1229 .function = ip_source_and_port_range_check_command_fn,
1231 "set ip source-and-port-range-check <ip-addr>/<mask> [range <nn> - <nn>] [vrf <id>] [del]",
1236 static clib_error_t *
1237 show_source_and_port_range_check_fn (vlib_main_t * vm,
1238 unformat_input_t * input,
1239 vlib_cli_command_t * cmd)
1241 protocol_port_range_dpo_t *ppr_dpo;
1247 fib_prefix_t pfx = {
1248 .fp_proto = FIB_PROTOCOL_IP4,
1252 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
1254 if (unformat (input, "%U", unformat_ip4_address, &pfx.fp_addr.ip4))
1256 else if (unformat (input, "vrf %d", &vrf_id))
1258 else if (unformat (input, "port %d", &port))
1265 return clib_error_return (0, "<address> not specified");
1268 return clib_error_return (0, "VRF ID required, not specified");
1270 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
1271 if (~0 == fib_index)
1272 return clib_error_return (0, "VRF %d not found", vrf_id);
1275 * find the longest prefix match on the address requested,
1276 * check it was sourced by us
1278 dpo_id_t dpo = DPO_NULL;
1279 const dpo_id_t *bucket;
1281 if (!fib_entry_get_dpo_for_source (fib_table_lookup (fib_index, &pfx),
1282 FIB_SOURCE_SPECIAL, &dpo))
1287 vlib_cli_output (vm, "%U: src address drop", format_ip4_address,
1292 bucket = load_balance_get_bucket_i (load_balance_get (dpo.dpoi_index), 0);
1293 ppr_dpo = protocol_port_range_dpo_get (bucket->dpoi_index);
1298 rv = check_adj_port_range_x1 (ppr_dpo, (u16) port, 1234);
1300 vlib_cli_output (vm, "%U port %d PASS", format_ip4_address,
1301 &pfx.fp_addr.ip4, port);
1303 vlib_cli_output (vm, "%U port %d FAIL", format_ip4_address,
1304 &pfx.fp_addr.ip4, port);
1311 s = format (0, "%U: ", format_ip4_address, &pfx.fp_addr.ip4);
1313 for (i = 0; i < N_BLOCKS_PER_DPO; i++)
1315 for (j = 0; j < 8; j++)
1317 if (ppr_dpo->blocks[i].low.as_u16[j])
1318 s = format (s, "%d - %d ",
1319 (u32) ppr_dpo->blocks[i].low.as_u16[j],
1320 (u32) ppr_dpo->blocks[i].hi.as_u16[j]);
1323 vlib_cli_output (vm, "%s", s);
1331 VLIB_CLI_COMMAND (show_source_and_port_range_check, static) = {
1332 .path = "show ip source-and-port-range-check",
1333 .function = show_source_and_port_range_check_fn,
1335 "show ip source-and-port-range-check vrf <nn> <ip-addr> <port>",
1340 * fd.io coding-style-patch-verification: ON
1343 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob